If you are using WafCharm on AWS WAF v2, the procedure to change rule actions varies based on the rule policy you choose. If you are using the Advanced rule policy, please change the rule actions from the WafCharm Console. If you are using the Legacy rule policy, please change the rule actions from the AWS management console.
Procedure
Advanced
Regular expression rules
Sign in to the WafCharm console.
Click [WAF] from the left menu.
Click the WAF Config for the rule action that you want to change.
Click the [Rule configuration] tab on the details page.
Click the [Edit] button.
Click the [RegexPattern] tab.
Change the rule action displayed next to the rule names under the [Rule name] list.
Click the [Add] button.
You can also change the rule actions of other rules with the same procedure. For example, if you enabled bot rules and want to change the rule action of a specific bot category, you can do so by following similar steps.
For Count or Block actions, the rule action can be changed in a batch from the buttons placed next to [Regex list].
Click on the [Change all actions to Count] button if you want to change all rule actions to Count, or click on the [Change all actions to Block] button if you want to change all rule actions to Block.
Dynamic Denylist rule
Sign in to the WafCharm console.
Click [WAF] from the left menu.
Click the WAF Config for the rule action that you want to change.
Click the [Rule configuration] tab on the details page.
Click the [Edit] button.
Go to the [Dynamic Denylist] section under the [IP address] tab.
Select the rule action to use (Count or Block) from the pull-down menu.
Click the [Add] button.
Limitations and Notes
The Advanced rule policy can only be used with new plan/MP ver.
Immunity time will be set to 300, which is AWS WAF's default value.
If you want to change the immunity time from the default value (300), please create a rule from the AWS management console or request customization from the WafCharm support team.
Rule actions specified on the WafCharm Console take precedence.
You cannot change the rule actions of rules that do not have the rule action options, such as allowlist.
If you change the rule action of WafCharm rules on the AWS management console, the rule actions will be overridden by the actions specified in the WafCharm Console. If you want to change WafCharm rules' actions, please use the WafCharm Console.
Please note that we cannot guarantee the operation if you change any settings (e.g., conditions) other than the rule action of the rules provided by WafCharm.
WafCharm's regex rules are intended to detect attacks or suspicious requests, so rule action Allow is not provided as an option.
Legacy
Sign in to the AWS management console.
Open AWS WAF.
Open the target web ACL.
Open the rule group that contains the rule whose action you want to change.
Click [Edit].
Choose [Override to Count] from the drop-down menu below the rule name under the [Rule] section.
Click [Save rule].
If you want to change the rule action back to Block from Count, click [Remove Override].
You can use the [Override all rule actions] drop-down menu to change rule actions of all the rules inside the rule group. If you want to remove the override, click on the [Remove all overrides] button.
Limitations and Notes
Please note that we cannot guarantee the operation if you change any settings (e.g., conditions) other than the rule action of the rules provided by WafCharm.
WafCharm's regex rules are intended to detect attacks or suspicious requests, so rule action Allow is not intended to be used. Please refrain from using the Allow action to avoid explicitly allowing attacks or suspicious requests.
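To confirm which overrides are actually in place after following the Legacy procedure, the web ACL definition can be audited for rule action overrides, flagging any Allow override as high severity and listing rules still left in Count. The script below is an added example, not WafCharm's or AWS's own code; it assumes JSON in the shape returned by `aws wafv2 get-web-acl`, and the ACL name, rule group names, rule names and ARNs in the sample are constructed placeholders.

```python
import json

# Constructed sample in the shape returned by `aws wafv2 get-web-acl`;
# the ACL name, rule names and ARNs are placeholders, not real WafCharm values.
SAMPLE = json.loads("""
{"WebACL": {"Name": "example-acl", "Rules": [
  {"Name": "example-rule-group-a", "Priority": 1,
   "OverrideAction": {"None": {}},
   "Statement": {"RuleGroupReferenceStatement": {
     "ARN": "arn:aws:wafv2:us-east-1:111122223333:regional/rulegroup/example-a/PLACEHOLDER",
     "RuleActionOverrides": [
       {"Name": "example-regex-001", "ActionToUse": {"Count": {}}},
       {"Name": "example-regex-002", "ActionToUse": {"Allow": {}}}]}}},
  {"Name": "example-rule-group-b", "Priority": 2,
   "OverrideAction": {"Count": {}},
   "Statement": {"RuleGroupReferenceStatement": {
     "ARN": "arn:aws:wafv2:us-east-1:111122223333:regional/rulegroup/example-b/PLACEHOLDER"}}}
]}}
""")


def audit_overrides(doc):
    """Return (group, rule, action, severity) for every rule-action override."""
    findings = []
    for rule in doc["WebACL"].get("Rules", []):
        ref = rule.get("Statement", {}).get("RuleGroupReferenceStatement")
        if ref is None:
            continue  # not a rule group reference, nothing to override
        # Group-level override: matches the group would block are only counted.
        if "Count" in rule.get("OverrideAction", {}):
            findings.append((rule["Name"], "*", "Count", "review"))
        # Per-rule overrides (Count, Allow, Block, ...).
        for ov in ref.get("RuleActionOverrides", []):
            action = next(iter(ov["ActionToUse"]), "Unknown")
            sev = "high" if action == "Allow" else "review" if action == "Count" else "info"
            findings.append((rule["Name"], ov["Name"], action, sev))
        # Older API form of a per-rule override to Count.
        for ex in ref.get("ExcludedRules", []):
            findings.append((rule["Name"], ex["Name"], "Count", "review"))
    return findings


if __name__ == "__main__":
    for finding in audit_overrides(SAMPLE):
        print("%-22s %-20s %-6s %s" % finding)
```

Rules reported as "review" are detecting but not blocking, so they should be returned to Block with [Remove Override] once testing is finished.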